AGENCY:

National Institute of Standards and Technology (NIST), Commerce.

ACTION:

Notice; request for comments.

SUMMARY:

The National Institute of Standards and Technology announces that it plans to develop Federal Information Processing Standard (FIPS) 140-3, which will supersede FIPS 140-2, Security Requirements for Cryptographic Modules. FIPS 140-2, approved by the Secretary of Commerce and announced in the Federal Register (June 27, 2001, Volume 66, Number 124, Pages 34154-34155), identifies requirements for four levels of security for cryptographic modules that are utilized by Federal agencies to protect the security of Federal information systems. The Federal Information Security Management Act (FISMA) (Public Law 107-347) requires that all Federal agencies and their contractors use only those cryptographic-based security systems that were validated to FIPS 140-2 or to its predecessor, FIPS 140-1.

DATES:

Comments on new and revised requirements for FIPS 140-3 must be received on or before Febrary 28, 2005.

ADDRESSES:

Comments may be sent electronically to FIPS140-3@nist.gov, or may be mailed to Information Technology Laboratory, ATTN: Development of FIPS 140-3, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930. All comments received will be available on the NIST Web site at: http://csrc.nist.gov/​cryptval/​

FOR FURTHER INFORMATION CONTACT:

Mr. Allen Roginsky (301) 975-3603, National Institute of Standards and Technology, 100 Bureau Drive, STOP 8930, Gaithersburg, MD 20899-8930. E-mail: allen.roginsky@nist.gov.

A copy of FIPS 140-2 is available electronically from the NIST Web site at: http://csrc.nist.gov/​publications/​fips/​index.html.

SUPPLEMENTARY INFORMATION:

FIPS 140-2, Security Requirements for Cryptographic Modules, superseded FIPS 140-1, which had been issued in 1994. FIPS 140-1 specified that the standard be reviewed within five years to consider its continued usefulness and to determine whether new or revised requirements should be added. NIST conducted a review of FIPS 140-1 in 1998-99, and the standard was reaffirmed as FIPS 140-2 in 2001 with technical modifications to address technological advances that had occurred since FIPS 140-1 had been issued.

FIPS 140-2 identifies requirements for four increasing, qualitative levels of security for cryptographic modules. The four security levels cover a wide range of potential applications and a wide spectrum of information types, including data with the potential to cause low, moderate and serious impacts on organizations should there be a loss of confidentiality, integrity or availability of the data. In 1995, NIST and the Communications Security Establishment (CSE) of the Government of Canada established the Cryptographic Module Validation Program (CMVP) to validate cryptographic modules to FIPS 140-1 and other cryptography-based standards. Nearly 500 cryptographic modules and many implementations of cryptographic algorithms have been tested by National Voluntary Laboratory Accreditation Program (NVLAP) accredited, independent third-party laboratories and have been validated. Products validated by this program are used in Canada, the U.S., and many other countries. Federal government agencies are required to acquire products that have been validated under the CMVP when they use cryptographic-based security systems to protect their information. The CMVP enables vendors of cryptographic products to use a common standard and a common testing Start Printed Page 2123and validation process for their products.

NIST plans to develop FIPS 140-3 to meet the new and revised requirements of Federal agencies for cryptographic systems, and to address technological and economic changes that have occurred since the issuance of FIPS 140-2. As the first step in the development of FIPS 140-3, NIST invites comments from the public, users, the information technology industry, and Federal, State and local government organizations concerning the need for and recommendations for a new standard.

NIST is especially interested in comments on the following issues:

(1) Compatibility with industry standards.

(2) New technology areas.

(3) Introduction of additional levels of security.

(4) Additional requirements specific to physical security.

(5) Portability of applications (including operating systems) based on platform and/or environment.

Following its review of the comments submitted in response to this notice, NIST will hold open, public workshops in 2005 to discuss the development of FIPS 140-3. These workshops will be announced in the Federal Register with information about participation. NIST expects to propose FIPS 140-3 for public review and comment before recommending the standard to the Secretary of Commerce for approval in 2006.

NIST will develop a plan for a transition period for testing and validating modules to FIPS 140-3, and for agencies to develop plans to acquire products that are compliant with FIPS 140-3. The transition plan will also address the use by Federal agencies of cryptographic modules that have been validated for compliance to FIPS 140-1 and FIPS 140-2.

Authority: Federal Information Processing Standards (FIPS) are issued by the National Institute of Standards and Technology after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 and the Federal Information Security Management Act of 2002 (Public Law 107-347).

E.O. 12866: This notice has been determined not to be significant for the purposes of E.O. 12866.